Computer Forums

PHP configuration for Apache - Prerequisites



The purpose of this Linux tutorial is to teach you how to configure PHP, and in particular how to configure PHP to work with an Apache server running on a Linux operating system (Ubuntu, for instance).
Obvious prerequisites to this tutorial are:

PHP configuration for Apache - Editing the PHP configuration file php.ini



The first thing to do is to look for the php.ini configuration file. Oftentimes it will be in your main php-5.3.7 folder under the name php.ini-production (recommended PHP settings) or php.ini-development (note that at the time this tutorial was written, PHP 5.3.7 was the latest version of PHP available). What you want to do is open php.ini in your favorite text editor and customize it according to your needs. What we propose below is in no way exhaustive but covers the most important directives to turn on or off security-wise. For other PHP directives that might interest you, don't hesitate to look at the standard PHP documentation for more in-depth information.

Start by disabling some dangerous PHP options in php.ini:
  • Disable dynamic module loading, which allows a PHP script to load a dynamic module, possibly a third-party PHP module which will then be able to run with PHP privileges. In particular, this PHP module will be able to circumvent the restrictions imposed by the PHP configuration. In order to disable this option:

    enable_dl = off

    Note that this option is by default set to off with PHP 5.3.7. Just make sure it really is!
  • Prevent PHP from disclosing PHP information:

    disable_functions = phpinfo
    expose_php = off

    In particular, this will prevent intruders from knowing your exact PHP version too easily.
  • Disable register_globals: register_globals is probably one of the most dangerous PHP options when turned on. It allows the automatic registration of global variables from various sources (registration occurs only if the variable was not set yet): information sent via the GET or POST methods, Cookie / Server / other environment information ... For instance, http://www.example.com/index.php?name=john would automatically register the variable $name, which will be set to "john". Now note that this would allow anybody to automatically register a variable which was not already set in the PHP script by merely requesting index.php and simulating a GET request; of course, you have to turn off this PHP option:

    register_globals = off

    What is more, please note that as a general security rule, you must always initialize your PHP variables!
  • Disable functions that permit PHP / Apache interaction: such insecure PHP functions include PHP functions allowing the retrieval of Apache configuration information or (even worse) the setting of Apache configuration. You can disable them:

    disable_functions = apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual, dir, readfile, shell_exec, exec, passthru, proc_close, proc_get_status, proc_open, proc_terminate, system
  • Turn off allow_url_fopen: allow_url_fopen allows you to access URLs like files, i.e. you will be able to include some PHP code from a distant URL by using the command include($url) where $url designates the URL of any webpage. Needless to say, this option is very dangerous and should be turned off at all costs:

    allow_url_fopen = off

    Note that the option allow_url_include requires allow_url_fopen to be turned on and thus does not need to be independently deactivated.
  • Prevent PHP from writing to the syslog and forging Linux process names:

    disable_functions = openlog
  • Use the open_basedir option in order to limit filesystem access: the open_basedir directive makes it easy to specify which folders your PHP scripts can access; for instance, the following configuration:

    open_basedir = path/to/htdocs/

    will allow PHP to access your public folder only (i.e. if some external data is needed, PHP won't be able to access it; for that reason, please check which files PHP will really need to access before setting the open_basedir option). Also, note that there are ways to circumvent open_basedir: this security option is not foolproof and you should just use it as what it is - an extra layer of security that will harden PHP.
    Remark: do not forget the trailing slash after htdocs, otherwise the option won't work.
  • Control specific PHP limits over various parameters:

    max_execution_time: sets the maximum total execution time of a PHP script
    max_input_time: sets the maximum time for a PHP script to process user input
    memory_limit: sets the maximum memory allocated to any PHP script execution; this option might help prevent resource abuse by poorly written PHP scripts
    post_max_size: this PHP option limits the size of a request via the POST method; this also limits the body size of requests made via other methods
  • Disable file uploads if you don't need this PHP option, or restrict PHP uploads wisely:

    file_uploads = Off: turns off the PHP file uploading feature
    upload_max_filesize = 1M: limits file uploading at 1MB per file
    upload_tmp_dir = /path/to/upload/folder: defines the folder where files uploaded via the file_upload option are saved
  • Run PHP in safe mode only: when running PHP in safe mode, you add a layer of security to your PHP by restricting a lot of sensitive functions and asking PHP to run additional checks before execution. While you have no guarantee that you will be fully protected by running PHP in safe mode, you should turn this option on:

    safe_mode = on
  • Make sure that session IDs cannot be accessed by anybody other than your Apache user: in our tutorial on how to install Apache from source, we have seen how to create a user with very restricted privileges (called Apache) and make it the owner of the httpd process. The idea here is to similarly grant user Apache exclusive access rights to the folder containing session information. You can find out in your php.ini file which folder is set to contain session IDs by searching for the option "session.save_path". You can set this PHP option according to your own preference (the key here will be to create a folder to which only the Apache user will have access):

    session.save_path = path/to/session_ids/folder
  • Configure PHP logging: make sure PHP is logging every piece of information (errors and notices) by turning on error reporting and specifying that even PHP notices / PHP warnings must be logged; in addition, you must use error_log in order to configure where errors should be logged (the path to the PHP error log, that is).
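
The list above sets disable_functions in several separate snippets, and a mistyped directive name is easy to miss once they are all pasted into one file. The following Python sketch is an added example, not part of the original tutorial: it audits a php.ini for the directives covered above. SAMPLE_INI, parse_ini and audit are hypothetical names, the sample file is constructed, and the reader is simplified on the assumption that when a directive is repeated PHP keeps only the last value.

```python
import re

# Constructed sample php.ini (not from a real server). It repeats
# disable_functions and contains one misspelled directive name.
SAMPLE_INI = """\
enable_dl = Off
expose_php = Off
disable_functions = phpinfo
register_globals = Off
disable functions = exec, system
allow_url_fopen = Off
disable_functions = openlog
open_basedir = /srv/www/htdocs/
"""

MUST_BE_OFF = ("enable_dl", "expose_php", "register_globals", "allow_url_fopen")
FALSY = {"", "0", "off", "false", "no", "none"}  # values PHP reads as "off"

def parse_ini(text):
    """Simplified php.ini reader: returns (settings, duplicates, bad_names)."""
    settings, duplicates, bad_names = {}, [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if "=" not in line or line.startswith("["):  # blank line or [section]
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not re.fullmatch(r"[A-Za-z_][\w.]*", key):
            bad_names.append(key)                    # e.g. "disable functions"
            continue
        if key in settings:
            duplicates.append(key)
        settings[key] = value.strip('"')             # a later line replaces an earlier one
    return settings, duplicates, bad_names

def audit(text, must_disable=("phpinfo", "exec", "system", "openlog")):
    """Return a list of findings for the directives covered in the tutorial."""
    settings, duplicates, bad_names = parse_ini(text)
    findings = [f"{key} is not set to off" for key in MUST_BE_OFF
                if settings.get(key, "on").lower() not in FALSY]
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = sorted(set(must_disable) - disabled)
    if missing:
        findings.append("not disabled: " + ", ".join(missing))
    findings += [f"{key} is set more than once; only the last line applies"
                 for key in duplicates]
    findings += [f"not a valid directive name: {key!r}" for key in bad_names]
    if not settings.get("open_basedir", "/").endswith("/"):
        findings.append("open_basedir has no trailing slash")
    return findings
```

For the sample file, audit(SAMPLE_INI) reports that only openlog ends up disabled; merging every function name into a single disable_functions line clears the findings.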

In this tutorial we took a quick look at how to configure PHP on your Apache server. While this PHP tutorial addresses important issues and should be enough to get you going, we advise you to read the PHP documentation in detail in order to configure your php.ini file as systematically as you can. Your next step towards a proper PHP installation will be to look into further ways to secure PHP (you might be interested in the Hardened-PHP project, for instance).
What is more, you should keep in mind that PHP configuration is just one aspect of PHP security, the other being the quality of your PHP code (i.e. you must ascertain that you write safe code at all times).
